Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Farewell for now...

I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...

Date: 06/10/2012

Off Topic: Unicode Right-to-Left Override character used by malware

Here's an interesting thing for you security types to be aware of. Many of you probably are careful...

Date: 08/22/2011

An interesting logging regulation that doesn't apply to Windows event logs...

I was browsing around looking for logging regulations and stumbled across this. It's the United...

Date: 05/27/2011

Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742

In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...

Date: 04/28/2011

Auditing Changes to Audit Policy

Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...

Date: 07/16/2010

XPath to generate a list of NTLM authentications on Windows Vista or Later

Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...

Date: 05/13/2010

Auditing system impact on performance

UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...

Date: 08/10/2009

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...

Date: 06/10/2009

Minimizing Directory Service Audit Event Noise

I've written before on noise reduction in the Windows security event log. I've also written to...

Date: 09/04/2008

Tracking User Logon Activity Using Logon Events

I get the question fairly often, how to use the logon events in the audit log to track how long a...

Date: 08/20/2008

ACS Event Retention Mechanism

I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...

Date: 07/17/2008

ACS' first bug from being too performant

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...

Date: 07/16/2008

If you're gonna herd bots, do it from New Zealand!

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...

Date: 07/16/2008

WEvtUtil Scripting

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...

Date: 07/16/2008

Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for...

Date: 04/19/2008

Windows Server 2008 Security Events Posted

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...

Date: 04/16/2008

Shameless Self-Promotion

There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...

Date: 03/05/2008

ACS Event Transformation Demystified

I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...

Date: 02/27/2008

You learn something new every day- Logon Type 0

Today I encountered something new in the logon event- I thought that was old hat and I knew all...

Date: 02/26/2008

ACS Tidbits

Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...

Date: 02/01/2008

I always wondered who Björn was...

OK here's something I just remembered today. I may be the last person who remembers this so it's...

Date: 01/17/2008

Why does Windows XP generate so many logon failure events?

I got the question last week, why there are so many logon failure events on Windows XP when it is...

Date: 11/09/2007

List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...

Date: 10/12/2007

German court bans retention of logged IP addresses

A German court has ruled that a government web site may not retain IP addresses and other personally...

Date: 10/03/2007

Ensuring that there's no useful data in your logs...

As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...

Date: 08/31/2007

AT&T Team Up With Apple to Create Large-Scale Log Forwarding System Using Paper & US Postal Service

https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...

Date: 08/12/2007

EZ-Pass Logs Used in Divorce Cases

This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...

Date: 08/10/2007

Documentation on the Windows Vista and Windows Server 2008 Security Events

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...

Date: 07/31/2007

United Kingdom passes EC telecom-logging legislation

To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...

Date: 07/31/2007

Good List of Regulatory Requirements for Logging

My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...

Date: 07/10/2007

Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result

A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...

Date: 06/26/2007

Not generating logs is not an option... when you're under subpoena

Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...

Date: 06/11/2007

The Trouble With Logoff Events

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity...

Date: 05/08/2007

Enumerating Stuff in AD when all you see is GUIDs in Audit Records

A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...

Date: 05/03/2007

Auditing the Creation of Domain Controllers

Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...

Date: 05/03/2007

Vista security events get noticed

Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...

Date: 04/18/2007

We're #294!

Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...

Date: 02/08/2007

Where do I get my information on Windows auditing?

You might want to know where I go to get my information on audit events and so forth. Mostly I go to...

Date: 02/06/2007

Determining Whether a User Logged on Using A Smart Card

I get asked the question pretty regularly how to determine from the security log whether a user...

Date: 02/05/2007

How are object access events generated?

I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...

Date: 10/26/2006

Trustworthiness of Information in Audit Records

I get asked quite often "why is the Workstation name missing from some events?" I've explained that...

Date: 09/20/2006

Auditing and the Payment Card Industry (PCI) Data Security Standard

Here is a link to an interesting blog article interpreting the audit requirement of the PCI...

Date: 09/12/2006

Logs and the US Department of Justice Cybercrime Manual

Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...

Date: 08/31/2006

Logs and the Canadian Rules for Electronic Evidence

Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...

Date: 08/31/2006

ISV Writing Reports for Operations Manager Audit Collector (formerly ACS)

Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...

Date: 06/16/2006

Sharepoint Portal Services Auditing Tool

While searching for something else, I stumbled across this post. Disclaimer: I have never used...

Date: 05/08/2006

LogLogic posts open-source Windows log collection tool

I just became aware that LogLogic has posted an open-source log collection system called Lasso that...

Date: 05/08/2006

A good 3rd-party reference to the Windows security event log

Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...

Date: 03/20/2006
